Yealink has thanked Positive Technologies for discovering the critical vulnerability BDU:2024-00482 in its Yealink Meeting Server videoconferencing system.
Yealink is the world’s number-one VoIP provider and one of the five biggest online conferencing vendors. Its products are used in 140 countries. The vendor was notified of the threat in line with the responsible disclosure policy and released a software patch.
PT SWARM experts found that an adversary who had compromised Yealink Meeting Server on the external perimeter could extend the attack into the LAN if the server was not isolated in a properly configured demilitarised zone[1]. By exploiting the flaw, the malicious actor gained initial access to the corporate network segment.
In mid-January, Positive Technologies’ security expert centre estimated that 131 systems were vulnerable, each of them allowing an authenticated attacker to infiltrate the LAN. The countries with the largest share of installations are China (42%), Russia (26%), Poland (7%), Taiwan (4%), Germany (2%), Brazil (2%), and Indonesia (2%).
The vulnerability is categorized as OS Command Injection (CWE-78) and allows an attacker to inject operating system commands. Attackers can leverage this type of flaw to read OS password files, obtain application source code, or completely compromise the web server. In 2023, Positive Technologies experts encountered this type of vulnerability in 5% of their security analysis and penetration testing engagements.
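The following is an added, constructed illustration of the CWE-78 pattern described above, written for this page; it is not Yealink code, not Positive Technologies code, and says nothing about how the Yealink Meeting Server flaw itself is built. It shows a hypothetical web handler that passes a user-supplied hostname to an OS command: the vulnerable form interpolates the value into a shell string, while the hardened form validates the value against a hostname allowlist and passes it as a separate argv element with no shell involved. A small detection helper reports the shell metacharacters a WAF or reviewer would flag. All names (build_vulnerable_command, validate_host, suspicious_chars, run_hardened) and sample inputs are assumptions made for this example.

```python
import re
import subprocess

# Constructed example of a CWE-78 (OS Command Injection) pattern in a hypothetical
# web handler that takes a hostname from the request and hands it to the OS.

# Allowlist grammar for a hostname (RFC 1123 labels): letters, digits and hyphens,
# separated by dots, 253 characters at most. Anything else is rejected.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)

# Characters that carry meaning to /bin/sh. Their presence in a value that is
# about to reach a shell is the signal a WAF rule or a code reviewer looks for.
SHELL_METACHARS = set(";&|`$(){}<>\n'\"\\*?[]~!#")


def build_vulnerable_command(host: str) -> str:
    """The vulnerable pattern: untrusted input interpolated into a shell string.

    The string is returned rather than executed, so the injected command is
    visible in the result without ever running a shell.
    """
    return f"ping -c 1 {host}"


def validate_host(host: str) -> bool:
    """Allowlist check: accept only a syntactically valid hostname."""
    return _HOSTNAME_RE.fullmatch(host) is not None


def suspicious_chars(value: str) -> str:
    """Detection helper: the shell metacharacters present in a value, sorted."""
    return "".join(sorted(set(value) & SHELL_METACHARS))


def run_hardened(host: str, cmd: tuple[str, ...] = ("ping", "-c", "1")) -> str:
    """Hardened pattern: validate first, then pass the value as its own argv
    element with shell=False, so no shell ever parses the user input."""
    if not validate_host(host):
        raise ValueError(
            f"rejected hostname {host!r}: shell metacharacters {suspicious_chars(host)!r}"
        )
    completed = subprocess.run(
        [*cmd, host],
        shell=False,          # argv list, no shell interpretation
        capture_output=True,
        text=True,
        timeout=10,
        check=False,
    )
    return completed.stdout


if __name__ == "__main__":
    # Constructed inputs: a benign hostname and one carrying a ';' separator.
    benign = "example.com"
    hostile = "example.com;date"

    print("vulnerable string :", build_vulnerable_command(hostile))
    print("metachars found   :", suspicious_chars(hostile))

    # 'echo' stands in for 'ping' so the demo runs offline.
    print("hardened (benign) :", run_hardened(benign, cmd=("echo",)).strip())
    try:
        run_hardened(hostile, cmd=("echo",))
    except ValueError as exc:
        print("hardened (hostile):", exc)
```

The point of the two functions side by side is that the fix is not escaping: the hardened handler never lets the value reach a shell at all, and the allowlist rejects the input before any process is spawned. The `suspicious_chars` check is the kind of signal a web application firewall or NTA rule keys on when it inspects request parameters for OS command injection attempts.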
Yealink registered the vulnerability as YVD-2023-1257833. To remediate the flaw, which received a CVSS 3.0 score of 9.9, Yealink Meeting Server has to be updated to version 26.0.0.66.
An attempt to exploit YVD-2023-1257833 can be detected with PT Network Attack Discovery, a network traffic analysis (NTA) system, which already contains the necessary rules.
OS Command Injection vulnerabilities can be reliably detected and blocked by web application firewalls, such as PT Application Firewall, or its cloud-based version, PT Cloud Application Firewall. MaxPatrol VM is another tool that detects infrastructure flaws. To lower the risks, we recommend using EDR security tools, such as MaxPatrol EDR. This solution helps to detect malicious activity, alerts the SIEM system, and prevents the adversary from carrying on the attack.
Earlier, in 2021, Positive Technologies experts found vulnerabilities in Zoom: malicious actors could intercept any data from private videoconferences and attack corporate subscribers’ infrastructures.
[1] A segment of the LAN accessible from the Internet and isolated from other resources.